    netfilter: nfnetlink: fix insufficient validation in nfnetlink_bind · 97840cb6
    Pablo Neira Ayuso authored
    Make sure the netlink group exists, otherwise you can trigger an out
    of bound array memory access from the netlink_bind() path. This splat
    can only be triggered by superuser.
    
    [  180.203600] UBSan: Undefined behaviour in ../net/netfilter/nfnetlink.c:467:28
    [  180.204249] index 9 is out of range for type 'int [9]'
    [  180.204697] CPU: 0 PID: 1771 Comm: trinity-main Not tainted 3.18.0-rc4-mm1+ #122
    [  180.205365] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
    [  180.206498]  0000000000000018 0000000000000000 0000000000000009 ffff88007bdf7da8
    [  180.207220]  ffffffff82b0ef5f 0000000000000092 ffffffff845ae2e0 ffff88007bdf7db8
    [  180.207887]  ffffffff8199e489 ffff88007bdf7e18 ffffffff8199ea22 0000003900000000
    [  180.208639] Call Trace:
    [  180.208857] dump_stack (lib/dump_stack.c:52)
    [  180.209370] ubsan_epilogue (lib/ubsan.c:174)
    [  180.209849] __ubsan_handle_out_of_bounds (lib/ubsan.c:400)
    [  180.210512] nfnetlink_bind (net/netfilter/nfnetlink.c:467)
    [  180.210986] netlink_bind (net/netlink/af_netlink.c:1483)
    [  180.211495] SYSC_bind (net/socket.c:1541)
    
    Moreover, define the missing nf_tables and nf_acct multicast groups too.
    Reported-by: Andrey Ryabinin <a.ryabinin@samsung.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
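The defect the commit message describes is a table indexed by a caller-supplied multicast group id without first checking that the id is inside the table; the UBSan report shows index 9 used on an `int [9]`, whose valid indices are 0..8. The following is an added illustration, not code from the kernel or from this commit: it models that lookup on a constructed nine-entry table and shows the range check that rejects ids outside it before indexing. All names here (`grp_id`, `SUBSYS_*`, `grp2type`, `bind_group_type`) are constructed stand-ins, and the exact shape of the check is an assumption modelled on the description "make sure the netlink group exists", not the commit's diff, which this page does not show.

```c
/* Added illustration, not code from the kernel or from commit 97840cb6.
 * Models the bounds check described in the commit message on a
 * constructed table; every identifier below is a stand-in. */
#include <errno.h>
#include <stdio.h>

/* Constructed multicast group ids; 0 means "no group", as with netlink.
 * Nine ids in total (0..8), matching the 'int [9]' in the UBSan report. */
enum grp_id {
	GRP_NONE = 0,
	GRP_CT_NEW,
	GRP_CT_UPDATE,
	GRP_CT_DESTROY,
	GRP_CT_EXP_NEW,
	GRP_CT_EXP_UPDATE,
	GRP_CT_EXP_DESTROY,
	GRP_NFTABLES,
	GRP_ACCT_QUOTA,
	__GRP_MAX		/* one past the last valid id */
};
#define GRP_MAX (__GRP_MAX - 1)

/* Constructed subsystem ids that a group resolves to. */
enum subsys_id {
	SUBSYS_NONE = 0,
	SUBSYS_CTNETLINK,
	SUBSYS_CTNETLINK_EXP,
	SUBSYS_NFTABLES,
	SUBSYS_ACCT
};

/* group id -> subsystem; only ids 0..GRP_MAX are backed by storage. */
static const int grp2type[__GRP_MAX] = {
	[GRP_CT_NEW]         = SUBSYS_CTNETLINK,
	[GRP_CT_UPDATE]      = SUBSYS_CTNETLINK,
	[GRP_CT_DESTROY]     = SUBSYS_CTNETLINK,
	[GRP_CT_EXP_NEW]     = SUBSYS_CTNETLINK_EXP,
	[GRP_CT_EXP_UPDATE]  = SUBSYS_CTNETLINK_EXP,
	[GRP_CT_EXP_DESTROY] = SUBSYS_CTNETLINK_EXP,
	[GRP_NFTABLES]       = SUBSYS_NFTABLES,
	[GRP_ACCT_QUOTA]     = SUBSYS_ACCT,
};

/*
 * Resolve a group id supplied through bind(2) to its subsystem.
 * The range check is the whole point: without it, an id such as 9
 * reads one element past the end of grp2type. Ids <= 0 are rejected
 * as well, since 0 is "no group" and negative ids index before the
 * table. Returns the subsystem id, or -EINVAL for an unknown group.
 */
int bind_group_type(int group)
{
	if (group <= GRP_NONE || group > GRP_MAX)
		return -EINVAL;
	return grp2type[group];
}

int main(void)
{
	/* Constructed sample inputs: valid ids plus the three ways to miss. */
	const int ids[] = { 0, GRP_CT_NEW, GRP_NFTABLES, GRP_ACCT_QUOTA, 9, -1 };
	size_t i;

	for (i = 0; i < sizeof ids / sizeof ids[0]; i++) {
		int rc = bind_group_type(ids[i]);

		if (rc < 0)
			printf("group %2d: rejected (%d)\n", ids[i], rc);
		else
			printf("group %2d: subsystem %d\n", ids[i], rc);
	}
	return 0;
}
```

The table is sized from the same enum that bounds the check, so adding a group id (as the commit does for nf_tables and nf_acct) grows both the table and the accepted range together; a check written against a hard-coded constant would silently drift from the table.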